
Mastering Packet Capture: When to Use Wireshark, Tcpdump, Charles, or mitmproxy

This guide compares four popular packet‑capture tools (Wireshark, tcpdump, Charles, and mitmproxy), explaining their strengths, weaknesses, installation steps, filter syntax, and best‑use scenarios for developers and testers who need efficient network debugging.

Efficient Ops

1. Overview

Both developers and testers often need to capture network packets. This article introduces efficient packet capture methods across platforms, dividing tools into two categories: proxy‑based HTTP capture (e.g., Charles, mitmproxy) and raw network capture (e.g., Wireshark, tcpdump).

2. Wireshark

Wireshark is a cross‑platform GUI tool that captures all protocols on a selected network interface. It is powerful but can overwhelm beginners because of the massive amount of data. Users must learn its filter syntax to isolate relevant packets.

Simple Filter Syntax

Filters start with a protocol name, followed by field names and operators such as `contains`, `==`, `>` and `<`. For example, entering `http` shows only HTTP traffic.

To filter HTTP requests whose URI contains “/api”:

To filter by destination or source IP, use the IP protocol fields, e.g.:

Wireshark also provides an expression builder to list supported protocols and their fields.

Pros

Powerful: captures all protocol packets.

Captured packets are easy to analyze.

Cons

Cannot run on headless servers (requires GUI).

Cannot directly analyze encrypted HTTPS traffic; decryption is possible but complex.

3. Tcpdump

Tcpdump is a command‑line packet capture tool built into Linux (and available on macOS). It captures all protocols on a chosen interface, but the raw output is hard to read, so users often save captures to a file and analyze them later with Wireshark.

Basic Usage

```bash
# Capture on a specific interface (eth1)
tcpdump -i eth1
# Capture traffic to or from www.baidu.com
tcpdump host www.baidu.com
# Capture traffic between nn1 and either nn2 or nn3
tcpdump host nn1 and \( nn2 or nn3 \)
# Capture IP packets involving nn1 but not nn2
tcpdump ip host nn1 and not nn2
# Capture packets sent from nn1
tcpdump -i eth0 src host nn1
# Capture packets destined for nn1
tcpdump -i eth0 dst host nn1
# Capture TCP port 23 traffic to or from host 210.27.48.1
tcpdump tcp port 23 and host 210.27.48.1
```

Save captured packets to a file:

```bash
tcpdump -i en0 -w test.cap
```

Open the file later with Wireshark for visual analysis.

Read a saved capture:

```bash
tcpdump -r test.cap
```
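The file that `-w` writes and `-r` reads is the classic pcap format. As an added example that is not part of the original article, the following Python reads such a file, decodes the Ethernet, IPv4 and TCP/UDP headers, and applies the same host/port primitives that the tcpdump expressions above express (and that Wireshark exposes as the `ip.src`, `ip.dst` and `tcp.port` fields). The pcap and protocol layouts are the published ones; the capture it runs over is constructed inside the code, and `demo`, `matches`, `build_frame` and `build_pcap` are names chosen for this example. It goes slightly beyond the page in that it recognises and rejects pcapng input, the format Wireshark saves by default, so a capture saved from the Wireshark GUI must be exported as pcap before a classic-pcap reader will open it.

```python
import struct
from typing import Iterator, Optional

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps (what tcpdump -w writes)
PCAPNG_MAGIC = 0x0A0D0D0A    # pcapng: Wireshark's default save format, not handled here
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def decode_frame(frame: bytes, ts: float, orig_len: int) -> dict:
    """Pull the fields that host/port filters need out of an Ethernet/IPv4 frame."""
    pkt = {"ts": ts, "len": orig_len, "proto": None, "src": None, "dst": None,
           "sport": None, "dport": None}
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return pkt                        # non-IPv4 (ARP, IPv6, ...) or truncated frame
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes (20 without options)
    proto = ip[9]
    pkt["src"] = ".".join(str(b) for b in ip[12:16])
    pkt["dst"] = ".".join(str(b) for b in ip[16:20])
    pkt["proto"] = PROTO_NAMES.get(proto, str(proto))
    l4 = ip[ihl:]
    if proto in PROTO_NAMES and len(l4) >= 4:   # TCP and UDP both start with the two ports
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    return pkt


def parse_pcap(data: bytes) -> Iterator[dict]:
    """Yield one decoded packet per record of a classic pcap file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng input: save from Wireshark as pcap, or capture with tcpdump -w")
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:             # same magic, file written big-endian
        end = ">"
    else:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here (linktype %d)" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        yield decode_frame(frame, ts_sec + ts_usec / 1e6, orig_len)


def matches(pkt: dict, host: Optional[str] = None, src_host: Optional[str] = None,
            dst_host: Optional[str] = None, port: Optional[int] = None,
            proto: Optional[str] = None) -> bool:
    """tcpdump-style primitives joined by 'and': host = either address, src/dst host = one
    direction, port = either end of the connection."""
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    if src_host is not None and pkt["src"] != src_host:
        return False
    if dst_host is not None and pkt["dst"] != dst_host:
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    return proto is None or pkt["proto"] == proto


# --- Constructed sample data so the demo runs offline (checksums zero; not a real capture) ---
def build_frame(src: str, dst: str, sport: int, dport: int, proto: int = 6) -> bytes:
    ip_bytes = lambda a: bytes(int(part) for part in a.split("."))
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)  # 20-byte TCP SYN
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)                             # 8-byte UDP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_bytes(src), ip_bytes(dst))
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def demo(host: str = "210.27.48.1", port: int = 23) -> list:
    """Apply 'tcp port 23 and host 210.27.48.1' from the tcpdump section to a constructed capture."""
    capture = build_pcap([
        build_frame("10.0.0.5", "210.27.48.1", 51000, 23),         # telnet to the host: matches
        build_frame("210.27.48.1", "10.0.0.5", 23, 51000),         # its reply: matches
        build_frame("10.0.0.5", "210.27.48.1", 51001, 443),        # same host, other port: no
        build_frame("10.0.0.5", "10.0.0.9", 51002, 23),            # port 23, other host: no
        build_frame("10.0.0.5", "10.0.0.53", 4000, 53, proto=17),  # DNS over UDP: no
    ])
    return [p for p in parse_pcap(capture) if matches(p, host=host, port=port, proto="tcp")]
```

`demo()` returns the two flows (request and reply) that satisfy the filter; to run the same selection over a real capture taken with `tcpdump -w test.cap`, pass the file's bytes to `parse_pcap` and filter with `matches`.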

Pros

Powerful and can capture any protocol.

Available on all Linux servers without extra installation.

Cons

Analysis is difficult without Wireshark.

Cannot directly analyze HTTPS traffic.

4. Charles

Charles is an HTTP proxy tool. By configuring the system or browser proxy to point to Charles, all HTTP requests pass through it and are recorded. The GUI allows easy inspection of request/response details.

HTTPS traffic appears as “unknown” because it is encrypted; installing Charles’s root certificate enables decryption and inspection.

Pros

Simple to use; just set the proxy address.

HTTPS decryption is straightforward after installing the certificate.

Cons

Only supports HTTP/HTTPS proxy capture.

5. mitmproxy

mitmproxy is a Python‑based HTTP proxy tool. It runs in the command line but also provides a web UI (mitmweb). Users can write plugins to intercept, modify, or replay requests.

Installation

Install Python 3 and pip3, then:

```bash
pip3 install mitmproxy
```

If you encounter `ModuleNotFoundError: No module named '_ssl'`, your Python was built without OpenSSL support: install the OpenSSL development packages, rebuild Python 3, then reinstall mitmproxy.

```bash
# Build dependencies (RPM-based systems)
yum install openssl-devel bzip2-devel expat-devel gdbm-devel readline-devel sqlite-devel gcc gcc-c++
# Rebuild Python so that the _ssl module is compiled in
# (assumed: run inside the unpacked Python 3 source tree; the ./configure step is added here)
./configure
make && make install
pip3 install mitmproxy
```

Usage

Start the interactive console:

```bash
mitmproxy
```

The tool listens on port 8080 by default; configure your browser to use this proxy. Requests are displayed in the console and can be filtered, intercepted, edited, or replayed using shortcut keys.

Common shortcuts:

1. Request filtering: press `f` and type a filter expression.

2. Request interception: press `i` and enter an intercept filter; matching requests pause so you can edit them, then resume with `a` (this request) or `A` (all intercepted requests).

3. View/edit request: select a request and press `Enter` to view its details; press `e` to edit parts of the request.

4. Replay request: press `r` to resend a request, optionally after editing it. Use the `replay.client` command for bulk replay based on filter rules.

5. Plugin development: write a Python plugin (an addon script) and run mitmproxy with `-s` to load it. Example:

```python
from mitmproxy import ctx


class Counter:
    """Addon that counts every request passing through the proxy."""

    def __init__(self):
        self.num = 0

    def request(self, flow):
        # Called once per HTTP request, before it is forwarded upstream.
        self.num += 1
        # ctx.log writes to mitmproxy's event log; newer releases prefer the
        # standard logging module (logging.info), which mitmproxy also captures.
        ctx.log.info("We've seen %d flows" % self.num)


# mitmproxy loads every object in this list as an addon.
addons = [Counter()]
```

Run `mitmproxy -s test.py` to activate the plugin.
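As a further added example (not from the article), the addon below does more than count: it records flows per host, warns when a credential-carrying header travels over plain HTTP, and scrubs `Authorization`, `Cookie` and similar headers once a flow has completed, so that a file written with `w` can be shared without leaking tokens. It uses only mitmproxy's documented hook names (`request`, `response`) and flow attributes (`flow.request.pretty_host`, `flow.request.scheme`, `flow.request.headers`, `flow.response.headers`); the `CaptureHygiene` name, the header list, and the `_Flow`/`_Request`/`_Message` stand-ins used by `run_demo` are this example's own constructions, so the logic can be exercised offline without a running proxy.

```python
import collections
import logging

# mitmproxy routes Python's standard logging into its event log, so the addon needs no
# mitmproxy import; the hooks below rely only on documented flow attributes.
log = logging.getLogger(__name__)

# Header names whose values should never end up in a saved capture file (example's own list).
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie",
                               "set-cookie", "x-api-key"})
REDACTED = "<redacted>"


def has_sensitive(headers) -> bool:
    """True if any header name is sensitive; compares lower-cased names, so it works on
    mitmproxy's case-insensitive Headers object and on a plain dict alike."""
    return any(name.lower() in SENSITIVE_HEADERS for name in headers.keys())


def redact_headers(headers) -> int:
    """Replace sensitive header values in place and return how many were redacted."""
    count = 0
    for name in list(headers.keys()):
        if name.lower() in SENSITIVE_HEADERS:
            headers[name] = REDACTED
            count += 1
    return count


class CaptureHygiene:
    """mitmproxy addon: count flows per host, flag credentials sent over plain HTTP, and
    scrub secrets from completed flows so that 'w' writes a shareable file."""

    def __init__(self):
        self.per_host = collections.Counter()
        self.plaintext_credentials = 0
        self.redacted = 0

    def request(self, flow):
        # Runs before the request is forwarded: inspect only. Editing headers here would
        # change what the upstream server receives.
        host = flow.request.pretty_host
        self.per_host[host] += 1
        if flow.request.scheme == "http" and has_sensitive(flow.request.headers):
            self.plaintext_credentials += 1
            log.warning("credential header sent over plain HTTP to %s", host)

    def response(self, flow):
        # Runs after the server replied: the request is already on the wire, so editing
        # its headers now only changes what mitmproxy displays and saves.
        self.redacted += redact_headers(flow.request.headers)
        if flow.response is not None:
            self.redacted += redact_headers(flow.response.headers)


addons = [CaptureHygiene()]  # loaded by: mitmproxy -s capture_hygiene.py (file name assumed)


# --- Constructed stand-ins for mitmproxy flow objects, used only by the offline demo ---
class _Message:
    def __init__(self, headers):
        self.headers = headers


class _Request(_Message):
    def __init__(self, scheme, host, headers):
        super().__init__(headers)
        self.scheme, self.pretty_host = scheme, host


class _Flow:
    def __init__(self, request, response=None):
        self.request, self.response = request, response


def run_demo() -> dict:
    """Push two constructed flows through the addon and return the observable results."""
    addon = CaptureHygiene()
    plain = _Flow(_Request("http", "intranet.example",
                           {"Authorization": "Bearer s3cr3t", "Accept": "*/*"}),
                  _Message({"Set-Cookie": "sid=abc", "Content-Type": "text/html"}))
    tls = _Flow(_Request("https", "api.example", {"X-Api-Key": "k-123"}),
                _Message({"Content-Type": "application/json"}))
    for flow in (plain, tls):
        addon.request(flow)
        addon.response(flow)
    return {
        "plaintext_credentials": addon.plaintext_credentials,
        "redacted": addon.redacted,
        "per_host": dict(addon.per_host),
        "plain_request_headers": plain.request.headers,
        "plain_response_headers": plain.response.headers,
        "tls_request_headers": tls.request.headers,
    }
```

Save it as, for example, `capture_hygiene.py` and start `mitmproxy -s capture_hygiene.py`. The redaction deliberately happens in `response`, after the request has gone upstream; doing it in `request` would alter the headers the server receives and break the very request being debugged.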

6. Save captured data: press `w` to write captured flows to a file; read them back later with `mitmproxy -r file`.

Pros

Command‑line operation works on headless servers.

Supports HTTPS decryption after installing its certificate.

Beyond capture: interception, modification, and replay.

Cons

Only captures HTTP/HTTPS traffic.

6. Conclusion

Choosing the right tool depends on the scenario:

For pure HTTP capture, mitmproxy offers rich features and workflow automation.

On headless production servers, tcpdump is the safest choice; export captures for analysis with Wireshark.

To capture non‑HTTP protocols, Wireshark provides the most comprehensive solution.

Charles is largely superseded by mitmproxy for most HTTP debugging needs.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
